cve-2020-11054

Vulnerability from cvelistv5

Published

2020-05-07 20:35

Modified

2024-08-04 11:21

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Summary

In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.

References

URL	Tags
security-advisories@github.com	https://bugs.kde.org/show_bug.cgi?id=420902	Issue Tracking, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/issues/5403	Issue Tracking, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j	Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/
security-advisories@github.com	https://tracker.die-offenbachs.homelinux.org/eric/issue328	Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.kde.org/show_bug.cgi?id=420902	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/issues/5403	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/
af854a3a-2127-422b-91ae-364da2661108	https://tracker.die-offenbachs.homelinux.org/eric/issue328	Broken Link, Third Party Advisory

Impacted products

	Vendor	Product	Version
	qutebrowser	qutebrowser	Version: < 1.11.1

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:21:14.636Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugs.kde.org/show_bug.cgi?id=420902",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
               },
               {
                  name: "FEDORA-2020-fcd5fd47bd",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
               },
               {
                  name: "FEDORA-2020-f0812d6aad",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "qutebrowser",
               vendor: "qutebrowser",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.11.1",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-684",
                     description: "CWE-684: Incorrect Provision of Specified Functionality",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-09-21T01:06:34",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugs.kde.org/show_bug.cgi?id=420902",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
            },
            {
               name: "FEDORA-2020-fcd5fd47bd",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
            },
            {
               name: "FEDORA-2020-f0812d6aad",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
            },
         ],
         source: {
            advisory: "GHSA-4rcq-jv2f-898j",
            discovery: "UNKNOWN",
         },
         title: "Incorrect Provision of Specified Functionality in qutebrowser",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2020-11054",
               STATE: "PUBLIC",
               TITLE: "Incorrect Provision of Specified Functionality in qutebrowser",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "qutebrowser",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 1.11.1",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "qutebrowser",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-684: Incorrect Provision of Specified Functionality",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
                     refsource: "CONFIRM",
                     url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/issues/5403",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
                     refsource: "MISC",
                     url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
                  },
                  {
                     name: "https://bugs.kde.org/show_bug.cgi?id=420902",
                     refsource: "MISC",
                     url: "https://bugs.kde.org/show_bug.cgi?id=420902",
                  },
                  {
                     name: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
                     refsource: "MISC",
                     url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
                  },
                  {
                     name: "FEDORA-2020-fcd5fd47bd",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
                  },
                  {
                     name: "FEDORA-2020-f0812d6aad",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
                  },
               ],
            },
            source: {
               advisory: "GHSA-4rcq-jv2f-898j",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2020-11054",
      datePublished: "2020-05-07T20:35:29",
      dateReserved: "2020-03-30T00:00:00",
      dateUpdated: "2024-08-04T11:21:14.636Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2020-11054\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-05-07T21:15:11.590\",\"lastModified\":\"2024-11-21T04:56:41.400\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.\"},{\"lang\":\"es\",\"value\":\"En qutebrowser versiones anteriores a 1.11.1, el reinicio de una página con errores de certificado muestra una URL verde. Luego que el usuario haya anulado un error de certificado, qutebrowser muestra la URL en amarillo (colors.statusbar.url.warn.fg). Sin embargo, cuando el sitio web afectado fue cargado posteriormente de nuevo, la URL se mostró erróneamente como verde (colors.statusbar.url.success_https). Aunque el usuario ya ha visto un mensaje de error de certificado en este momento (o establece content.ssl_strict en falso, lo cual no se recomienda), esto aún podría proporcionar una falsa sensación de seguridad. Esto se ha corregido en las versiones 1.11.1 y 1.12.0. Se cree que todas las versiones de qutebrowser están afectadas, aunque las versiones anteriores a v0.11.x no pudieron ser probadas. Los parches con backporting para versiones antiguas (posteriores o iguales a la versión 1.4.0 y versiones anteriores o iguales a 1.10.2) están disponibles, pero no se planean nuevas versiones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-684\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.11.1\",\"matchCriteriaId\":\"9ED914DB-F493-4DC0-96DF-ED7B32A0316E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}],\"references\":[{\"url\":\"https://bugs.kde.org/show_bug.cgi?id=420902\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/issues/5403\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://tracker.die-offenbachs.homelinux.org/eric/issue328\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.kde.org/show_bug.cgi?id=420902\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/issues/5403\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://tracker.die-offenbachs.homelinux.org/eric/issue328\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\"]}]}}",
   },
}

fkie_cve-2020-11054

Vulnerability from fkie_nvd

Published

2020-05-07 21:15

Modified

2024-11-21 04:56

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://bugs.kde.org/show_bug.cgi?id=420902	Issue Tracking, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/issues/5403	Issue Tracking, Third Party Advisory
security-advisories@github.com	https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j	Third Party Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/
security-advisories@github.com	https://tracker.die-offenbachs.homelinux.org/eric/issue328	Broken Link, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.kde.org/show_bug.cgi?id=420902	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/issues/5403	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/
af854a3a-2127-422b-91ae-364da2661108	https://tracker.die-offenbachs.homelinux.org/eric/issue328	Broken Link, Third Party Advisory

Impacted products

Vendor	Product	Version
qutebrowser	qutebrowser	*
fedoraproject	fedora	31
fedoraproject	fedora	32

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9ED914DB-F493-4DC0-96DF-ED7B32A0316E",
                     versionEndExcluding: "1.11.1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                     matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                     matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
      },
      {
         lang: "es",
         value: "En qutebrowser versiones anteriores a 1.11.1, el reinicio de una página con errores de certificado muestra una URL verde. Luego que el usuario haya anulado un error de certificado, qutebrowser muestra la URL en amarillo (colors.statusbar.url.warn.fg). Sin embargo, cuando el sitio web afectado fue cargado posteriormente de nuevo, la URL se mostró erróneamente como verde (colors.statusbar.url.success_https). Aunque el usuario ya ha visto un mensaje de error de certificado en este momento (o establece content.ssl_strict en falso, lo cual no se recomienda), esto aún podría proporcionar una falsa sensación de seguridad. Esto se ha corregido en las versiones 1.11.1 y 1.12.0. Se cree que todas las versiones de qutebrowser están afectadas, aunque las versiones anteriores a v0.11.x no pudieron ser probadas. Los parches con backporting para versiones antiguas (posteriores o iguales a la versión 1.4.0 y versiones anteriores o iguales a 1.10.2) están disponibles, pero no se planean nuevas versiones.",
      },
   ],
   id: "CVE-2020-11054",
   lastModified: "2024-11-21T04:56:41.400",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 1.4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-05-07T21:15:11.590",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugs.kde.org/show_bug.cgi?id=420902",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Broken Link",
            "Third Party Advisory",
         ],
         url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://bugs.kde.org/show_bug.cgi?id=420902",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Third Party Advisory",
         ],
         url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-684",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

pysec-2020-97

Vulnerability from pysec

Published

2020-05-07 21:15

Modified

2020-09-21 02:15

Details

Impacted products

Name	purl
qutebrowser	pkg:pypi/qutebrowser

Aliases

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "PyPI",
            name: "qutebrowser",
            purl: "pkg:pypi/qutebrowser",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "19f01bb42d02da539446a52a25bb0c1232b86327",
                  },
                  {
                     fixed: "4020210b193f77cf1785b21717f6ef7c5de5f0f8",
                  },
                  {
                     fixed: "a45ca9c788f648d10cccce2af41405bf25ee2948",
                  },
                  {
                     fixed: "021ab572a319ca3db5907a33a59774f502b3b975",
                  },
                  {
                     fixed: "d28ed758d077a5bf19ddac4da468f7224114df23",
                  },
                  {
                     fixed: "6821c236f9ae23adf21d46ce0d56768ac8d0c467",
                  },
                  {
                     fixed: "9bd1cf585fccdfe8318fff7af793730e74a04db3",
                  },
                  {
                     fixed: "f5d801251aa5436aff44660c87d7013e29ac5864",
                  },
                  {
                     fixed: "2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
                  },
                  {
                     fixed: "1b7946ed14b386a24db050f2d6dba81ba6518755",
                  },
               ],
               repo: "https://github.com/qutebrowser/qutebrowser",
               type: "GIT",
            },
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "1.11.0",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
         versions: [
            "0.0.0",
            "0.1.0",
            "0.1.1",
            "0.1.2",
            "0.1.3",
            "0.1.4",
            "0.2.0",
            "0.2.1",
            "0.3.0",
            "0.4.0",
            "0.4.1",
            "0.5.0",
            "0.5.1",
            "0.6.0",
            "0.6.1",
            "0.6.2",
            "0.7.0",
            "0.8.0",
            "0.8.1",
            "0.8.2",
            "0.8.3",
            "0.8.4",
            "0.9.0",
            "0.9.1",
            "0.10.0",
            "0.10.1",
            "0.11.0",
            "0.11.1",
            "1.0.0",
            "1.0.1",
            "1.0.2",
            "1.0.3",
            "1.0.4",
            "1.1.0",
            "1.1.1",
            "1.1.2",
            "1.2.0",
            "1.2.1",
            "1.3.0",
            "1.3.1",
            "1.3.2",
            "1.3.3",
            "1.4.0",
            "1.4.1",
            "1.4.2",
            "1.5.0",
            "1.5.1",
            "1.5.2",
            "1.6.0",
            "1.6.1",
            "1.6.2",
            "1.6.3",
            "1.7.0",
            "1.8.0",
            "1.8.1",
            "1.8.2",
            "1.8.3",
            "1.9.0",
            "1.10.0",
            "1.10.1",
            "1.10.2",
         ],
      },
   ],
   aliases: [
      "CVE-2020-11054",
      "GHSA-4rcq-jv2f-898j",
   ],
   details: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
   id: "PYSEC-2020-97",
   modified: "2020-09-21T02:15:00Z",
   published: "2020-05-07T21:15:00Z",
   references: [
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
      },
      {
         type: "WEB",
         url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
      },
      {
         type: "ADVISORY",
         url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
      },
      {
         type: "WEB",
         url: "https://bugs.kde.org/show_bug.cgi?id=420902",
      },
      {
         type: "REPORT",
         url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
      },
      {
         type: "FIX",
         url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
      },
   ],
}

ghsa-4rcq-jv2f-898j

Vulnerability from github

Published

2020-05-08 19:05

Modified

2024-10-16 21:01

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Summary

Incorrect Provision of Specified Functionality in qutebrowser

Details

Description

After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.

Affected versions and patches

All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested.

The issue is fixed in qutebrowser v1.11.1 (pending release) and v1.12.0 (unreleased). Backported patches for older versions are available, but no further releases are planned.

Mitigation

If you are unable to upgrade:

Treat any host with a certificate exception as insecure, ignoring the URL color
Or set content.ssl_strict to True (instead of 'ask'), preventing certificate exceptions

References

qutebrowser issue: https://github.com/qutebrowser/qutebrowser/issues/5403
Fix (master branch): https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975
Related issue for KDE Falkon: https://bugs.kde.org/show_bug.cgi?id=420902
Related issue for eric6 Web Browser: https://tracker.die-offenbachs.homelinux.org/eric/issue328 (fixed in eric6 20.6)

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "PyPI",
            name: "qutebrowser",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "1.11.1",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2020-11054",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-684",
      ],
      github_reviewed: true,
      github_reviewed_at: "2020-05-08T19:04:30Z",
      nvd_published_at: "2020-05-07T21:15:00Z",
      severity: "LOW",
   },
   details: "# Description\n\nAfter a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false` which is not recommended), this could still provide a false sense of security.\n\n# Affected versions and patches\n\nAll versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested.\n\nThe issue is fixed in qutebrowser v1.11.1 (pending release) and v1.12.0 (unreleased). Backported patches for older versions are available, but no further releases are planned.\n\n# Mitigation\n\nIf you are unable to upgrade:\n\n- Treat any host with a certificate exception as insecure, ignoring the URL color\n- Or set `content.ssl_strict` to `True` (instead of `'ask'`), preventing certificate exceptions\n\n# References\n\n- qutebrowser issue: https://github.com/qutebrowser/qutebrowser/issues/5403\n- Fix (master branch): https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975\n- Related issue for KDE Falkon: https://bugs.kde.org/show_bug.cgi?id=420902\n- Related issue for eric6 Web Browser: https://tracker.die-offenbachs.homelinux.org/eric/issue328 (fixed in eric6 20.6)",
   id: "GHSA-4rcq-jv2f-898j",
   modified: "2024-10-16T21:01:54Z",
   published: "2020-05-08T19:05:05Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2020-11054",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
      },
      {
         type: "WEB",
         url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
      },
      {
         type: "WEB",
         url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP",
      },
      {
         type: "WEB",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/qutebrowser/qutebrowser",
      },
      {
         type: "WEB",
         url: "https://github.com/pypa/advisory-database/tree/main/vulns/qutebrowser/PYSEC-2020-97.yaml",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
         type: "CVSS_V3",
      },
   ],
   summary: "Incorrect Provision of Specified Functionality in qutebrowser",
}

opensuse-su-2024:11292-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

qutebrowser-2.3.1-2.1 on GA media

Notes

Title of the patch

qutebrowser-2.3.1-2.1 on GA media

Description of the patch

These are all security issues fixed in the qutebrowser-2.3.1-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11292

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "qutebrowser-2.3.1-2.1 on GA media",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "These are all security issues fixed in the qutebrowser-2.3.1-2.1 package on the GA media of openSUSE Tumbleweed.",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "openSUSE-Tumbleweed-2024-11292",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11292-1.json",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2018-1000559 page",
            url: "https://www.suse.com/security/cve/CVE-2018-1000559/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2018-10895 page",
            url: "https://www.suse.com/security/cve/CVE-2018-10895/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2020-11054 page",
            url: "https://www.suse.com/security/cve/CVE-2020-11054/",
         },
      ],
      title: "qutebrowser-2.3.1-2.1 on GA media",
      tracking: {
         current_release_date: "2024-06-15T00:00:00Z",
         generator: {
            date: "2024-06-15T00:00:00Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "openSUSE-SU-2024:11292-1",
         initial_release_date: "2024-06-15T00:00:00Z",
         revision_history: [
            {
               date: "2024-06-15T00:00:00Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "qutebrowser-2.3.1-2.1.aarch64",
                        product: {
                           name: "qutebrowser-2.3.1-2.1.aarch64",
                           product_id: "qutebrowser-2.3.1-2.1.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "qutebrowser-2.3.1-2.1.ppc64le",
                        product: {
                           name: "qutebrowser-2.3.1-2.1.ppc64le",
                           product_id: "qutebrowser-2.3.1-2.1.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "qutebrowser-2.3.1-2.1.s390x",
                        product: {
                           name: "qutebrowser-2.3.1-2.1.s390x",
                           product_id: "qutebrowser-2.3.1-2.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "qutebrowser-2.3.1-2.1.x86_64",
                        product: {
                           name: "qutebrowser-2.3.1-2.1.x86_64",
                           product_id: "qutebrowser-2.3.1-2.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "openSUSE Tumbleweed",
                        product: {
                           name: "openSUSE Tumbleweed",
                           product_id: "openSUSE Tumbleweed",
                           product_identification_helper: {
                              cpe: "cpe:/o:opensuse:tumbleweed",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "qutebrowser-2.3.1-2.1.aarch64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
            },
            product_reference: "qutebrowser-2.3.1-2.1.aarch64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "qutebrowser-2.3.1-2.1.ppc64le as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
            },
            product_reference: "qutebrowser-2.3.1-2.1.ppc64le",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "qutebrowser-2.3.1-2.1.s390x as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
            },
            product_reference: "qutebrowser-2.3.1-2.1.s390x",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "qutebrowser-2.3.1-2.1.x86_64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
            },
            product_reference: "qutebrowser-2.3.1-2.1.x86_64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2018-1000559",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2018-1000559",
            },
         ],
         notes: [
            {
               category: "general",
               text: "qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted <title> attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week).",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2018-1000559",
               url: "https://www.suse.com/security/cve/CVE-2018-1000559",
            },
            {
               category: "external",
               summary: "SUSE Bug 1101507 for CVE-2018-1000559",
               url: "https://bugzilla.suse.com/1101507",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.0",
               },
               products: [
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "moderate",
            },
         ],
         title: "CVE-2018-1000559",
      },
      {
         cve: "CVE-2018-10895",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2018-10895",
            },
         ],
         notes: [
            {
               category: "general",
               text: "qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access 'qute://*' URLs. A malicious website could exploit this to load a 'qute://settings/set' URL, which then sets 'editor.command' to a bash script, resulting in arbitrary code execution.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2018-10895",
               url: "https://www.suse.com/security/cve/CVE-2018-10895",
            },
            {
               category: "external",
               summary: "SUSE Bug 1100968 for CVE-2018-10895",
               url: "https://bugzilla.suse.com/1100968",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "critical",
            },
         ],
         title: "CVE-2018-10895",
      },
      {
         cve: "CVE-2020-11054",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2020-11054",
            },
         ],
         notes: [
            {
               category: "general",
               text: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
               "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2020-11054",
               url: "https://www.suse.com/security/cve/CVE-2020-11054",
            },
            {
               category: "external",
               summary: "SUSE Bug 1171425 for CVE-2020-11054",
               url: "https://bugzilla.suse.com/1171425",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.aarch64",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.ppc64le",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.s390x",
                  "openSUSE Tumbleweed:qutebrowser-2.3.1-2.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "moderate",
            },
         ],
         title: "CVE-2020-11054",
      },
   ],
}

gsd-2020-11054

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2020-11054

Aliases

CVE-2020-11054

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2020-11054",
      description: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
      id: "GSD-2020-11054",
      references: [
         "https://www.suse.com/security/cve/CVE-2020-11054.html",
         "https://security.archlinux.org/CVE-2020-11054",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2020-11054",
         ],
         details: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
         id: "GSD-2020-11054",
         modified: "2023-12-13T01:22:05.263631Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "security-advisories@github.com",
            ID: "CVE-2020-11054",
            STATE: "PUBLIC",
            TITLE: "Incorrect Provision of Specified Functionality in qutebrowser",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "qutebrowser",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "< 1.11.1",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "qutebrowser",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
               },
            ],
         },
         impact: {
            cvss: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 3.5,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "CWE-684: Incorrect Provision of Specified Functionality",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
                  refsource: "CONFIRM",
                  url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/issues/5403",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
               },
               {
                  name: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
                  refsource: "MISC",
                  url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
               },
               {
                  name: "https://bugs.kde.org/show_bug.cgi?id=420902",
                  refsource: "MISC",
                  url: "https://bugs.kde.org/show_bug.cgi?id=420902",
               },
               {
                  name: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
                  refsource: "MISC",
                  url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
               },
               {
                  name: "FEDORA-2020-fcd5fd47bd",
                  refsource: "FEDORA",
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
               },
               {
                  name: "FEDORA-2020-f0812d6aad",
                  refsource: "FEDORA",
                  url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
               },
            ],
         },
         source: {
            advisory: "GHSA-4rcq-jv2f-898j",
            discovery: "UNKNOWN",
         },
      },
      "gitlab.com": {
         advisories: [
            {
               affected_range: "<1.11.0",
               affected_versions: "All versions before 1.11.0",
               cvss_v2: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
               cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
               cwe_ids: [
                  "CWE-1035",
                  "CWE-684",
                  "CWE-937",
               ],
               date: "2020-09-21",
               description: "After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors. the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false`, which is not recommended), this could still provide a false sense of security.",
               fixed_versions: [
                  "1.11.0",
               ],
               identifier: "CVE-2020-11054",
               identifiers: [
                  "CVE-2020-11054",
                  "GHSA-4rcq-jv2f-898j",
               ],
               not_impacted: "All versions starting from 1.11.0",
               package_slug: "pypi/qutebrowser",
               pubdate: "2020-05-07",
               solution: "Upgrade to version 1.11.0 or above.",
               title: "UI Discrepancy for Security Feature",
               urls: [
                  "https://nvd.nist.gov/vuln/detail/CVE-2020-11054",
               ],
               uuid: "984f2dfe-c019-4211-aebd-4661374ad145",
            },
         ],
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "1.11.1",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2020-11054",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-684",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/19f01bb42d02da539446a52a25bb0c1232b86327",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/4020210b193f77cf1785b21717f6ef7c5de5f0f8",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/a45ca9c788f648d10cccce2af41405bf25ee2948",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/021ab572a319ca3db5907a33a59774f502b3b975",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/d28ed758d077a5bf19ddac4da468f7224114df23",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/9bd1cf585fccdfe8318fff7af793730e74a04db3",
                  },
                  {
                     name: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
                     refsource: "MISC",
                     tags: [
                        "Broken Link",
                        "Third Party Advisory",
                     ],
                     url: "https://tracker.die-offenbachs.homelinux.org/eric/issue328",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
                     refsource: "CONFIRM",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/f5d801251aa5436aff44660c87d7013e29ac5864",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/2281a205c3e70ec20f35ec8fafecee0d5c4f3478",
                  },
                  {
                     name: "https://bugs.kde.org/show_bug.cgi?id=420902",
                     refsource: "MISC",
                     tags: [
                        "Issue Tracking",
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://bugs.kde.org/show_bug.cgi?id=420902",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/issues/5403",
                     refsource: "MISC",
                     tags: [
                        "Issue Tracking",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/issues/5403",
                  },
                  {
                     name: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/qutebrowser/qutebrowser/commit/1b7946ed14b386a24db050f2d6dba81ba6518755",
                  },
                  {
                     name: "FEDORA-2020-fcd5fd47bd",
                     refsource: "FEDORA",
                     tags: [
                        "Mailing List",
                        "Third Party Advisory",
                     ],
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7YWJ5QNHXKTGG5NLV7EGEOKPBVZBA5GS/",
                  },
                  {
                     name: "FEDORA-2020-f0812d6aad",
                     refsource: "FEDORA",
                     tags: [
                        "Mailing List",
                        "Third Party Advisory",
                     ],
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKAZOOTJ2MBHTYVYQQ52NL53F5CB2XAP/",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               acInsufInfo: false,
               cvssV2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 8.6,
               impactScore: 2.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: true,
            },
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 3.5,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               exploitabilityScore: 2.1,
               impactScore: 1.4,
            },
         },
         lastModifiedDate: "2023-01-27T15:00Z",
         publishedDate: "2020-05-07T21:15Z",
      },
   },
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2020-11054

Vulnerability from cvelistv5

fkie_cve-2020-11054

Vulnerability from fkie_nvd

pysec-2020-97

Vulnerability from pysec

ghsa-4rcq-jv2f-898j

Vulnerability from github

Description

Affected versions and patches

Mitigation

References

opensuse-su-2024:11292-1

Vulnerability from csaf_opensuse

gsd-2020-11054

Vulnerability from gsd

Tags

Sightings

Nomenclature